5:35 p.m.
I have an test app that quite happily does an audit_set_pid and then sits
there reading /dev/audit.
It works fine if its in the lead thread. But when I run the same code in my
real app it runs in a different thread. No matter what PID I pass to the
audit subsystem it complains that nobody is listening
I did audit_set_pid(....getpid...) - no (passes the pid of the manager
thread)
I did audit_set_pid(....gettid...) - no (passes the pid of the LWP)
(I dont really mean I did gettid - I did syscall(_NR_gettid))
I can see in the complaint message that I have given it the pid I intended
to.
I can see in gdb that my LWP id is the same as the one I send to the audit
subsystem - ie gettid worked.
Is this a known issue?
Heres the code snippet
void listen()
{
// register for events
pid_t mytid = (pid_t)syscall(__NR_gettid);
int res = audit_set_pid(m_auditFD, mytid, WAIT_YES);
res = audit_set_enabled(m_auditFD, 1);
assert(res >= 0);
static audit_reply reply;
while (true)
{
res = audit_get_reply(m_auditFD, &reply, GET_REPLY_BLOCKING, 0);
if (res < 0)
{
printf("exit audit %d %d\n", res, errno);
break;
}
printf("got event %.*s\n", reply.msg.nlh.nlmsg_len, reply.msg.data);
}
}
The thread sits waiting on the audit_get_reply call, so the FD is open
5:45 p.m.
On Friday, April 20 2007 6:35:34 pm paul moore wrote:
I have an test app that quite happily does an audit_set_pid and then
sits
there reading /dev/audit.
It works fine if its in the lead thread. But when I run the same code in my
real app it runs in a different thread. No matter what PID I pass to the
audit subsystem it complains that nobody is listening
I did audit_set_pid(....getpid...) - no (passes the pid of the manager
thread)
I did audit_set_pid(....gettid...) - no (passes the pid of the LWP)
(I dont really mean I did gettid - I did syscall(_NR_gettid))
I can see in the complaint message that I have given it the pid I intended
to.
I can see in gdb that my LWP id is the same as the one I send to the audit
subsystem - ie gettid worked.
Is this a known issue?
A little more information would be helpful, such as distribution (I'm guessing
SuSE?), kernel version, audit userspace version, etc.
-Paul "The Other One" Moore
--
paul moore
linux security @ hp
6:08 p.m.
Sorry
Redhat es4 x86 monoproc
Kernel 2.6.9-34.EL
Audit 1.0.12-1.EL4
gcc 3.4.5 (redhat's)
-----Original Message-----
From: Paul Moore [mailto:paul.moore@hp.com]
Sent: Friday, April 20, 2007 3:45 PM
To: paul moore
Cc: linux-audit(a)redhat.com
Subject: Re: listening to /dev/audit in a pthread program
On Friday, April 20 2007 6:35:34 pm paul moore wrote:
I have an test app that quite happily does an audit_set_pid and then
sits there reading /dev/audit.
It works fine if its in the lead thread. But when I run the same code
in my real app it runs in a different thread. No matter what PID I
pass to the audit subsystem it complains that nobody is listening
I did audit_set_pid(....getpid...) - no (passes the pid of the manager
thread)
I did audit_set_pid(....gettid...) - no (passes the pid of the LWP)
(I dont really mean I did gettid - I did syscall(_NR_gettid))
I can see in the complaint message that I have given it the pid I
intended to.
I can see in gdb that my LWP id is the same as the one I send to the
audit subsystem - ie gettid worked.
Is this a known issue?
A little more information would be helpful, such as distribution (I'm
guessing SuSE?), kernel version, audit userspace version, etc.
-Paul "The Other One" Moore
--
paul moore
linux security @ hp
6:13 p.m.
On Friday 20 April 2007 18:35:34 paul moore wrote:
I have an test app that quite happily does an audit_set_pid and then
sits
there reading /dev/audit.
There isn't a /dev/audit in linux.org kernels.
It works fine if its in the lead thread. But when I run the same code
in my
real app it runs in a different thread.
The important detail is where the audit_open call is made. Netlink want to
send it to the same tid.
-Steve
6:43 p.m.
(Ignore my comment about /dev/audit - I wasn't thinking, yes I call
audit_open)
Thanks
In fact I was wrong. In both cases the listener loop is in a secondary
thread (gotta read my own code more closely). The differntiator is where the
audit_open is called relative to the other threads.
So a bit more hacking based on your reply shows the real rule :-
The pid passed to audit_set_pid must be the pid that called audit_open not
the pid that's listening
Thanks agin. All working now
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Friday, April 20, 2007 4:13 PM
To: linux-audit(a)redhat.com
Cc: paul moore
Subject: Re: listening to /dev/audit in a pthread program
On Friday 20 April 2007 18:35:34 paul moore wrote:
I have an test app that quite happily does an audit_set_pid and then
sits there reading /dev/audit.
There isn't a /dev/audit in linux.org kernels.
It works fine if its in the lead thread. But when I run the same code
in my real app it runs in a different thread.
The important detail is where the audit_open call is made. Netlink want to
send it to the same tid.
-Steve
6455
days inactive
6455
days old
linux-audit@lists.linux-audit.osci.io
4 comments
3 participants
participants (3)
-
paul moore -
Paul Moore -
Steve Grubb